Joseph Steinberg (CISSP, ISSAP, ISSMP, CSSLP) is a respected cybersecurity expert, executive, and consultant, who is currently serving as CEO of SecureMySocial, a provider of technology that helps businesses protect themselves from the risks of employee social media usage by warning people if they make potentially problematic posts.
Joseph has spent over twenty years in the information technology industry, most recently serving for nine years as CEO of online authentication vendor, Green Armor Solutions, where he remains Chairman, and in several senior capacities at cybersecurity firm, Whale Communications (acquired by Microsoft), for the five years beforehand.
Joseph is the inventor of multiple information-security technologies; his work is cited in over 70 published patents. He has advised various firms and the government on many high-level matters related to cybersecurity, serves as editor of the official (ISC)2 textbook on info-security management, and has authored, or contributed to, several other cybersecurity related books.
Joseph chaired the Financial Advisory Board for a NJ municipality with combined municipal and education budgets of ~$150M, and, in 2007 was named one of New Jersey’s top businesspeople under the age of forty.

Why You Are At Risk Of Phishing Attacks (And Why JP Morgan Chase Customers Were Targeted Last Week)

Last week a significant phishing attack was launched against customers of JP Morgan Chase, as detected by cybersecurity firm Proofpoint and reported by Reuters. As is typical of such attacks, an email impersonating the bank asked recipients of the phishing email to click a link that directed them to a phony bank website operated by the crooks perpetrating the scheme.

The attack included some new technical elements – if a user clicked the link the attackers not only tried to grab credentials to JP Morgan Chase’s systems via the phony login page, but also attempted to install malware that could lead to breaches at other institutions. That said, the basic attack delivery technique remained the same as it has been for many years: Criminals sent a message that looks like it is from a legitimate business and tricked users into clicking a link.

Why is phishing – an attack method that has been around for over a decade – still successful? Why are people still falling prey to such a simple scam? Why are you at risk?

The answer is simple, but, perhaps, a bit painful:

We’ve been focusing on technology, rather than on people. And when we do focus on people we do it wrong.

Phishing, and other spam-related attacks, do not exploit technical vulnerabilities. They leverage a technological medium to exploit human weaknesses. The difference is significant, and game changing. While technical weaknesses can often be addressed with technical solutions, curbing phishing and related scams requires addressing the human problem at their core, an issue that has nothing to do with the digital age. Deceptive actors impersonating legitimate parties have been conning people since the dawn of civilization.

In fact, a primary reason why phishing continues to be an effective method of attack, even after a decade of anti-phishing efforts, is precisely that anti-phishing technologies are designed to combat phishing with technical “solutions” rather than by addressing the human source of the problem. Technical countermeasures can be circumvented, and when they are, a target who is not otherwise shielded is exposed. Software that attempts to block or erase phishing emails before a user reads them, for example, does nothing if the user is directed to a rogue website via a text message, and may at times even aggravate the problem by lowering a person’s guard when a cleverly constructed email does reach the inbox: the recipient assumes that illegitimate emails are blocked, and therefore grants unwarranted trust to the messages he or she does receive.

Oft-repeated advice to counter phishing is to educate customers about the dangers associated with clicking on links in unsolicited emails or opening unsolicited attachments. (See the FTC’s relevant webpage as an example.) While such a recommendation might, in theory, help, the fact that phishing is still a problem after many years of people preaching the value of education makes clear that education is, at best, a partial solution.

Fundamentally, the problem is that, while technology improves rapidly, the human mind takes many years to adapt and evolve. That’s why over time we find criminals increasingly focus on tricking users rather than on exploiting strictly technical vulnerabilities.

As I have said previously: The best way to protect people against phishing is to enable humans to distinguish legitimate entities from fraudulent ones, regardless of how the phishing solicitation reaches them. This can be achieved by leveraging real, psychologically sound site authentication and the human response mechanism behind it, but not by implementing complicated technologies that can, at best, only deliver partial success, and which, at worst, may condition users to fall prey to even more scams than they would have without the technology in place.

Ultimately, cybersecurity is not about technology. It is about keeping people safe in an increasingly electronic world. When we need to protect humans against making mistakes, we need to apply knowledge of humans, not an understanding of electronics. The importance of such an approach is not limited to combating phishing; it is needed throughout the field of information security.

My business partner, Shira Rubinoff, was a psychologist before entering the information security space a decade ago. While she may have been a pioneer in making such a transition, and has been recognized in the industry for her relevant contributions to the information security field, there remains a severe lack of information security practitioners with similar human-related skills. If we are going to successfully curb attacks that exploit human weaknesses, we will need the wisdom and contributions of many more experts on human behavior.

After all, which do you think will work better and at a greater scale: educating employees and customers for the umpteenth time about the dangers associated with clicking links, deploying the umpteenth generation of email filtering software or actually helping people more easily understand when a certain action is dangerous?

Want to be notified of great articles that can benefit you? Follow me on Twitter at @JosephSteinberg

Comments

Such a good article, that the contrast between the dodgy bit and the rest is exaggerated I think. ‘The Con’ has remained a largely unmolested element of the human experience since Adam and Eve, whatever origins of life model that reference conjures up for each reader respectively. And apart from pulling evolutionary theory’s pants down a little simply by its constancy, it suggests that we remain in part, the same creature over time. On the other hand, the part of human cognition that adapts, can adapt at millisecond speeds–take for instance, a Formula One race car driver–without that speed of cognitive learning and adaptation death is a certainty rather than a possibility. In plainer terms, a sucker is born not necessarily every minute, but rather every time a human is born. As far as value judgements are concerned, I believe we nearly all have the necessary tooling to combat social engineering already within our individual codes. That tooling has to compete with other, learned behaviors not necessarily based in this reality: anyone who takes an interest in me, is genuinely interested in me, for instance. By predisposing our critical thinking resources to filter for social engineering while connecting our existing self-preservation tooling to same, we create a resistant strain. But critical thinking results in discrimination. Discriminating between constructive and destructive intent. If those last two sentences didn’t make you wince, then there’s hope. For you.

Thank you. As you point out, the psychology is more complicated than what can fit in a short article… but, it boils down to the same thing – when it comes to phishing and related scams, people are the key factor…

I agree. Phishing is still an effective and common method of attack, and spear phishing is even more dangerous when it is used to exploit human weakness.

I disagree with you that “Phishing … do not exploit technical vulnerabilities…”; on the contrary, that’s exactly what they do. Email systems lack the basic mechanism to authenticate the sender and provide trust relationship indicators to the recipient. That’s exactly what we do at Proofbyte.

The assumption that SPF, DKIM and DMARC provide the authentication is a half-truth. These technologies benefit the senders mostly, as intended by marketers, to increase inbox penetration rate, but they do not provide the needed protection to the recipient. Evidently, JP Morgan Chase’s customers are not safe from phishing attacks despite the fact that JP Morgan Chase applies DMARC, as do most of the ISPs and email providers that serve these customers.

I agree that SPF, DKIM, and DMARC will not fully solve the problem – for the reasons that I described in this article and in others. Phishing exploits people, not technical vulnerabilities, and if a message makes it through (and messages will eventually do so), people need to be able to distinguish real from fake.
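The following Python script is an added illustration of the exchange above about SPF, DKIM and DMARC; it is not code from the article, from either commenter, or from any of the companies mentioned. It implements the receiver-side DMARC alignment check of RFC 7489 in miniature (policy discovery at the From: domain and then its organizational domain, relaxed or strict alignment, and the p= disposition) and runs it over three constructed messages: an exact-domain spoof, which DMARC rejects; a lookalike domain the attacker registered and set up with its own valid SPF, DKIM and DMARC records, which passes cleanly; and genuine mail from a subdomain that strict alignment fails. The domains (`bank.example`, `bank-secure-login.example`, `attacker.example`), the DNS records and the messages are placeholders, and `organizational_domain` is a two-label simplification that skips the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def organizational_domain(domain: str) -> str:
    """Return the registrable ("organizational") domain.

    Simplification for this example: the last two DNS labels. A real receiver
    consults the Public Suffix List so that e.g. 'bank.co.uk' is handled correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % record)
    tags.setdefault("p", "none")      # disposition requested for failing mail
    tags.setdefault("adkim", "r")     # DKIM alignment mode: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")      # SPF alignment mode:  r(elaxed) or s(trict)
    return tags


def is_aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """RFC 7489 identifier alignment between the From: domain and an authenticated domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass(frozen=True)
class Message:
    from_domain: str                 # domain of the RFC5322.From header the user sees
    spf_pass_domain: Optional[str]   # RFC5321.MailFrom domain if SPF returned pass, else None
    dkim_pass_domain: Optional[str]  # d= of a DKIM signature that verified, else None


def lookup_dmarc(from_domain: str, dns: Dict[str, str]) -> Optional[str]:
    """Policy discovery: try the From: domain first, then its organizational domain."""
    for candidate in (from_domain.lower(), organizational_domain(from_domain)):
        record = dns.get("_dmarc." + candidate)
        if record is not None:
            return record
    return None


def dmarc_disposition(msg: Message, dns: Dict[str, str]) -> Tuple[str, str]:
    """Return (dmarc_result, action) that a receiver would apply to this message."""
    record = lookup_dmarc(msg.from_domain, dns)
    if record is None:
        return "none", "deliver"     # no policy published: DMARC does not apply
    tags = parse_dmarc(record)
    spf_ok = is_aligned(msg.from_domain, msg.spf_pass_domain, tags["aspf"])
    dkim_ok = is_aligned(msg.from_domain, msg.dkim_pass_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return "fail", action.get(tags["p"], "deliver")


# Constructed DNS data for the example; placeholder domains, not any real bank's.
SAMPLE_DNS = {
    "_dmarc.bank.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
    # The attacker registers a lookalike and publishes perfectly valid records for it.
    "_dmarc.bank-secure-login.example": "v=DMARC1; p=reject",
}

# 1. Exact-domain spoof: From: claims bank.example, but SPF passed only for the attacker's
#    own bounce domain and nothing was DKIM-signed by the bank, so alignment fails.
SPOOFED = Message("bank.example", spf_pass_domain="mailer.attacker.example",
                  dkim_pass_domain=None)

# 2. Lookalike: every identifier the attacker controls is self-consistent, so DMARC passes;
#    nothing in SPF/DKIM/DMARC says whether bank-secure-login.example is the bank.
LOOKALIKE = Message("bank-secure-login.example",
                    spf_pass_domain="bank-secure-login.example",
                    dkim_pass_domain="bank-secure-login.example")

# 3. Genuine mail from a bank subdomain, signed with the parent domain's DKIM key:
#    strict alignment (adkim=s) fails it, so the bank must sign with d=alerts.bank.example
#    or relax alignment to get its own mail delivered.
SUBDOMAIN = Message("alerts.bank.example", spf_pass_domain=None,
                    dkim_pass_domain="bank.example")

if __name__ == "__main__":
    for name, msg in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("subdomain", SUBDOMAIN)):
        print(name, dmarc_disposition(msg, SAMPLE_DNS))
```

The output makes the two commenters' positions concrete: DMARC does stop mail that forges the bank's exact domain, but it authenticates only that the From: domain is whoever signed or sent it, so a lookalike domain the attacker controls passes every check and reaches the inbox, where the recipient still has to tell real from fake.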

Hi Joseph, I fully agree on protecting customers or users. Educating people alone is hard; no matter what you teach them, they are outsmarted by the fraudsters. That’s why we believe you have to protect the customer against high-risk transactions by protecting the transactions of the bank. Taking the sting out of the problem, the money gain, will reduce the threat factor and remove the attention of the fraudsters, eliminating money losses for the customers and the bank. Henk Bronk, CEO founder & Owner www.Findect.com

You know, as much as I love these actresses, this is a huge breach of privacy for them. This is not right, and although I can blame the hacker, let’s make one thing abundantly clear: the cloud is not safe, it is not secure, and hackers are always going to find a way around it.

So you wrote a book you want to release, but have it on the cloud? Someone can steal it. Have a photo you want to keep private? If it’s on the cloud, people can get access to it and share it. The cloud is nonsense, and putting everything online is a no-no.